CVE-2024-31864 — Apache Zeppelin remote code execution by adding malicious JDBC connection string

Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Zeppelin. The attacker can inject sensitive configuration or malicious code when connecting MySQL database via JDBC driver. This issue affects Apache Zeppelin: before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue.

How to fix CVE-2024-31864

To remediate CVE-2024-31864, upgrade the affected package to a fixed version below.

—upgrade to 0.11.1 or later

Is CVE-2024-31864 being exploited?

Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.11.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-31864
PATCHgithub.com/apache/zeppelin
WEBgithub.com/apache/zeppelin/commit/e65b5430e43c076c138a1f56e3f2aba1324118f2
WEBgithub.com/apache/zeppelin/pull/4709
WEB